dcrat | 83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Size

1.5MB
MD5

30ee1765060720307c511e8b3b1cf8c7
SHA1

103b30995fb84053deffc1a2229b2570c785e4d9
SHA256

83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8
SHA512

6ded51d75ae802543064fb8de049ca1a18fcb7095da43c42566ebf649cedea357c09412542cd0741dc7f3581dbd14f38b76dbfa9867a8efcb317bc64a02c8fd3
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRB:kzhWhCXQFN+0IEuQgyiVKJ

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4580	schtasks.exe
		1144	schtasks.exe
		1872	schtasks.exe
		3792	schtasks.exe
		2744	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
		1568	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\netdacim\\unsecapp.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\netdacim\\unsecapp.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\InputApp\\TextInputHost.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\netdacim\\unsecapp.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\InputApp\\TextInputHost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\services.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\netdacim\\unsecapp.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\InputApp\\TextInputHost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\services.exe\", \"C:\\PerfLogs\\sihost.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Windows\\System32\\wbem\\netdacim\\unsecapp.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\InputApp\\TextInputHost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\services.exe\", \"C:\\PerfLogs\\sihost.exe\", \"C:\\Windows\\twain_32\\explorer.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	3452	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	3452	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3452	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	3452	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3452	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3452	schtasks.exe	82

UAC bypass 3 TTPs 51 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2112	powershell.exe
3944	powershell.exe
4552	powershell.exe
3292	powershell.exe
1564	powershell.exe
3664	powershell.exe
3808	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe

Executes dropped EXE 16 IoCs

pid	Process
556	sihost.exe
2384	sihost.exe
536	sihost.exe
2380	sihost.exe
1036	sihost.exe
4916	sihost.exe
3428	sihost.exe
4348	sihost.exe
1400	sihost.exe
3144	sihost.exe
636	sihost.exe
2384	sihost.exe
1360	sihost.exe
2828	sihost.exe
4432	sihost.exe
2960	sihost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\netdacim\\unsecapp.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\netdacim\\unsecapp.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\InputApp\\TextInputHost.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\services.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twain_32\\explorer.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twain_32\\explorer.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\InputApp\\TextInputHost.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\services.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\PerfLogs\\sihost.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\PerfLogs\\sihost.exe\""	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe

Checks whether UAC is enabled 1 TTPs 34 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\wbem\netdacim\unsecapp.exe	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File created	C:\Windows\System32\wbem\netdacim\29c1c3cc0f7685	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File opened for modification	C:\Windows\System32\wbem\netdacim\RCXB22B.tmp	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File opened for modification	C:\Windows\System32\wbem\netdacim\unsecapp.exe	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\RCXB6A2.tmp	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\services.exe	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\services.exe	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\c5b4cb5e9653cc	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twain_32\explorer.exe	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\TextInputHost.exe	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\22eafd247d37c3	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File created	C:\Windows\twain_32\explorer.exe	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File created	C:\Windows\twain_32\7a0fd90576e088	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\RCXB49D.tmp	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\TextInputHost.exe	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
File opened for modification	C:\Windows\twain_32\RCXBBA5.tmp	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1568	schtasks.exe
4580	schtasks.exe
1144	schtasks.exe
1872	schtasks.exe
3792	schtasks.exe
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
1564	powershell.exe
3808	powershell.exe
2112	powershell.exe
4552	powershell.exe
3292	powershell.exe
3944	powershell.exe
3808	powershell.exe
3664	powershell.exe
3944	powershell.exe
3944	powershell.exe
4552	powershell.exe
1564	powershell.exe
2112	powershell.exe
3664	powershell.exe
3292	powershell.exe
556	sihost.exe
556	sihost.exe
556	sihost.exe
556	sihost.exe
556	sihost.exe
2384	sihost.exe
2384	sihost.exe
2384	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe
536	sihost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	556	sihost.exe
Token: SeDebugPrivilege	2384	sihost.exe
Token: SeDebugPrivilege	536	sihost.exe
Token: SeDebugPrivilege	2380	sihost.exe
Token: SeDebugPrivilege	1036	sihost.exe
Token: SeDebugPrivilege	4916	sihost.exe
Token: SeDebugPrivilege	3428	sihost.exe
Token: SeDebugPrivilege	4348	sihost.exe
Token: SeDebugPrivilege	1400	sihost.exe
Token: SeDebugPrivilege	3144	sihost.exe
Token: SeDebugPrivilege	636	sihost.exe
Token: SeDebugPrivilege	2384	sihost.exe
Token: SeDebugPrivilege	1360	sihost.exe
Token: SeDebugPrivilege	2828	sihost.exe
Token: SeDebugPrivilege	4432	sihost.exe
Token: SeDebugPrivilege	2960	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3292	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	89
PID 2116 wrote to memory of 3292	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	89
PID 2116 wrote to memory of 1564	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	90
PID 2116 wrote to memory of 1564	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	90
PID 2116 wrote to memory of 3664	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	91
PID 2116 wrote to memory of 3664	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	91
PID 2116 wrote to memory of 3808	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	92
PID 2116 wrote to memory of 3808	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	92
PID 2116 wrote to memory of 2112	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	93
PID 2116 wrote to memory of 2112	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	93
PID 2116 wrote to memory of 3944	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	94
PID 2116 wrote to memory of 3944	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	94
PID 2116 wrote to memory of 4552	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	95
PID 2116 wrote to memory of 4552	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	95
PID 2116 wrote to memory of 464	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	102
PID 2116 wrote to memory of 464	2116	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe	102
PID 464 wrote to memory of 2988	464	cmd.exe	105
PID 464 wrote to memory of 2988	464	cmd.exe	105
PID 464 wrote to memory of 556	464	cmd.exe	108
PID 464 wrote to memory of 556	464	cmd.exe	108
PID 556 wrote to memory of 4804	556	sihost.exe	110
PID 556 wrote to memory of 4804	556	sihost.exe	110
PID 556 wrote to memory of 1832	556	sihost.exe	111
PID 556 wrote to memory of 1832	556	sihost.exe	111
PID 4804 wrote to memory of 2384	4804	WScript.exe	113
PID 4804 wrote to memory of 2384	4804	WScript.exe	113
PID 2384 wrote to memory of 2928	2384	sihost.exe	114
PID 2384 wrote to memory of 2928	2384	sihost.exe	114
PID 2384 wrote to memory of 3432	2384	sihost.exe	116
PID 2384 wrote to memory of 3432	2384	sihost.exe	116
PID 2928 wrote to memory of 536	2928	WScript.exe	118
PID 2928 wrote to memory of 536	2928	WScript.exe	118
PID 536 wrote to memory of 1576	536	sihost.exe	119
PID 536 wrote to memory of 1576	536	sihost.exe	119
PID 536 wrote to memory of 1516	536	sihost.exe	120
PID 536 wrote to memory of 1516	536	sihost.exe	120
PID 1576 wrote to memory of 2380	1576	WScript.exe	123
PID 1576 wrote to memory of 2380	1576	WScript.exe	123
PID 2380 wrote to memory of 4160	2380	sihost.exe	124
PID 2380 wrote to memory of 4160	2380	sihost.exe	124
PID 2380 wrote to memory of 1708	2380	sihost.exe	125
PID 2380 wrote to memory of 1708	2380	sihost.exe	125
PID 4160 wrote to memory of 1036	4160	WScript.exe	126
PID 4160 wrote to memory of 1036	4160	WScript.exe	126
PID 1036 wrote to memory of 2652	1036	sihost.exe	127
PID 1036 wrote to memory of 2652	1036	sihost.exe	127
PID 1036 wrote to memory of 4460	1036	sihost.exe	128
PID 1036 wrote to memory of 4460	1036	sihost.exe	128
PID 2652 wrote to memory of 4916	2652	WScript.exe	129
PID 2652 wrote to memory of 4916	2652	WScript.exe	129
PID 4916 wrote to memory of 312	4916	sihost.exe	130
PID 4916 wrote to memory of 312	4916	sihost.exe	130
PID 4916 wrote to memory of 5012	4916	sihost.exe	131
PID 4916 wrote to memory of 5012	4916	sihost.exe	131
PID 312 wrote to memory of 3428	312	WScript.exe	132
PID 312 wrote to memory of 3428	312	WScript.exe	132
PID 3428 wrote to memory of 4292	3428	sihost.exe	133
PID 3428 wrote to memory of 4292	3428	sihost.exe	133
PID 3428 wrote to memory of 4356	3428	sihost.exe	134
PID 3428 wrote to memory of 4356	3428	sihost.exe	134
PID 4292 wrote to memory of 4348	4292	WScript.exe	135
PID 4292 wrote to memory of 4348	4292	WScript.exe	135
PID 4348 wrote to memory of 4372	4348	sihost.exe	136
PID 4348 wrote to memory of 4372	4348	sihost.exe	136

System policy modification 1 TTPs 51 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe
"C:\Users\Admin\AppData\Local\Temp\83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\netdacim\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MFhuFoaoOh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2988
- - C:\PerfLogs\sihost.exe
    "C:\PerfLogs\sihost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:556
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce206ae3-2d98-4dfe-b57f-ab7941aba3c2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2384
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90106618-7ec6-43f6-9d7f-be579c85d6ac.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d1f3adf-a579-453a-bcd5-ca6dd981c64d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd4b8128-03a9-46b7-b4d3-0754a72b5fd4.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bae853a5-0afe-46e2-8789-c9e0bda6e60e.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aa59a87-48bd-4c37-86c6-29287475e898.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbbc1553-f62a-4ecb-b09e-1c0a76e71fc0.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\595af05c-9461-43c9-bbea-c942aafc517c.vbs"
        18⤵
        
        PID:4372
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a531dfed-b38d-4eb3-937f-f02737d67cf8.vbs"
        20⤵
        
        PID:4032
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14ebbf35-8a5f-42a9-87b8-159fca5b1f3b.vbs"
        22⤵
        
        PID:516
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\498eaa45-d9b5-438d-852f-0ce644191109.vbs"
        24⤵
        
        PID:1352
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b9d05a9-8028-4754-9466-b40c83faa1be.vbs"
        26⤵
        
        PID:2692
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86b3ef89-7094-42ff-a594-840183d4f105.vbs"
        28⤵
        
        PID:4700
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7259cc02-2c2f-4b79-bcd8-8b16e5aa084c.vbs"
        30⤵
        
        PID:2368
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        31⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\744d6ddd-248a-4a32-b583-597e2d11e4d4.vbs"
        32⤵
        
        PID:4768
        
        C:\PerfLogs\sihost.exe
        
        C:\PerfLogs\sihost.exe
        33⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d008048f-6dd8-43b5-9a4c-ae1552eee973.vbs"
        34⤵
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c023cc2-d2bf-4cec-a4bb-87dcc1db3c25.vbs"
        34⤵
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6cd7fe8-2e11-48f0-91e9-47c2ae5c2457.vbs"
        32⤵
        
        PID:3584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4f4fe96-ec28-462e-a1d0-ea26540988c3.vbs"
        30⤵
        
        PID:1032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\767b2b26-ffeb-44a5-b470-768c2cff974b.vbs"
        28⤵
        
        PID:3984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c15d66e-bccd-4446-b9d9-19f94d3067c5.vbs"
        26⤵
        
        PID:4288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d606e118-1897-4f58-bde9-491871a95607.vbs"
        24⤵
        
        PID:212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad3c4818-49b9-4095-acae-127d53188250.vbs"
        22⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eae6d45-ccf6-46e5-864d-18375cbdab06.vbs"
        20⤵
        
        PID:4776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33c74fc7-21b5-42fe-aae0-9692c866358f.vbs"
        18⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a95efd5b-aa97-4d75-8f0b-83041c23c319.vbs"
        16⤵
        
        PID:4356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a90ccc92-ba66-4a00-aad2-14f61964b869.vbs"
        14⤵
        
        PID:5012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cd42740-b13e-4b2f-9714-bf787d9b1c20.vbs"
        12⤵
        
        PID:4460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\721af4b8-8703-47d3-ad04-f4a4f409ef77.vbs"
        10⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b41f07e2-a091-4256-86c5-c3b5f5f475e5.vbs"
        8⤵
        
        PID:1516
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13039099-5d97-46e5-9e38-facdec81e1d0.vbs"
        6⤵
        
        PID:3432
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75937d7a-77cd-4c0d-8138-f3b6ff4e6c8c.vbs"
      4⤵
      PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\netdacim\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\PerfLogs\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\sihost.exe

Filesize
1.5MB

MD5
30ee1765060720307c511e8b3b1cf8c7

SHA1
103b30995fb84053deffc1a2229b2570c785e4d9

SHA256
83cd589350950cab35679c6ffacda903fbe2503b1f3bad2382681bea995c3ba8

SHA512
6ded51d75ae802543064fb8de049ca1a18fcb7095da43c42566ebf649cedea357c09412542cd0741dc7f3581dbd14f38b76dbfa9867a8efcb317bc64a02c8fd3

Download Submit
C:\PerfLogs\sihost.exe

Filesize
1.5MB

MD5
c745327ab53df76b478b94440b6224fc

SHA1
c06ac96b5a80f80f60e945343583ee7278cdab0b

SHA256
8ee753ce00f6c131999abbffbdd5a8dc02265140f7e67a56cad34b910a142a2c

SHA512
e5c844b0cb3ffeb3cecbe8466c06551405d7e8a85541a9b85a58ba81d26b205cd21421ad79d9dd213621e6206fe4b7be6046cd69fbfa37531a1a90289fc28c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\05734cb0d3a198f3df4c354d71c6d3332893d909.exe

Filesize
1.5MB

MD5
28cb21ded4eb921cfa63abed1aa7f475

SHA1
41810c451f1c1fd2414328b7e9fc9641cb412d38

SHA256
11fb24ddc2f095b2afe2aab1a0f0d10523fce037db3dd5b1c4f8a2fba92f52d7

SHA512
50dfb49ee353878b08d0cc2c8a87cd8e528e90845f2640455156229b70b154701f7fe0dcb5958e67da78686f220c2083693fe36c5f7a75cc619fb95079173da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\14ebbf35-8a5f-42a9-87b8-159fca5b1f3b.vbs

Filesize
698B

MD5
078c5325c574a0f1c41a8fa9932fe151

SHA1
478492c8b5fcbed147959cbdf6fc05f444124d4e

SHA256
bdc00cf2710544d72696a42318c7dcdc69ed99ebef1249c3883d0448d8f1a13a

SHA512
b25a5db0e9c3ad9ee8a35c95ba8b9d690638b30243dd3e19da5e4feb9d3aa19a458fdb555305eb53e1168546411e0f12af8e913cecfad2a3f320e8a79f99e1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d1f3adf-a579-453a-bcd5-ca6dd981c64d.vbs

Filesize
697B

MD5
c1c599f67637221ff789e8289c498a10

SHA1
d00ee6167613986d2784cfcf784507bb0194bf53

SHA256
c08f5bec36651a142fde018beeb5d82383462e6f43c3300329fa7204d2582dfa

SHA512
e5471050abfcee8ff54f6626cb40d575bdf4d38452732c630405707f7bbb7c002d6523eb7496dc82ece43f402f2ef688508f3c8b12d97949f6bb3eca7a07627e

Download Submit
C:\Users\Admin\AppData\Local\Temp\498eaa45-d9b5-438d-852f-0ce644191109.vbs

Filesize
697B

MD5
1d0aa843ff9810a40061e80ebb445c2a

SHA1
10e4357a7f8f9efa8507b66048f17a9ee3751ac2

SHA256
f3b62c1e4d4c343330d3d2abc1b809a9d529b0931a366865f203e90c63c77b71

SHA512
669b525cb9925103347c8ccdb592c38e31dbabba7cd75b63f4b4073998c4fa5122cf2413fa4f0e143b9328e09b117d472be9aba9bb020c7ed505b9881ca8b902

Download Submit
C:\Users\Admin\AppData\Local\Temp\595af05c-9461-43c9-bbea-c942aafc517c.vbs

Filesize
698B

MD5
9c5c6d0bbdf810525665581d77922155

SHA1
6263cf12d7565d48aecf8d150abb03e84764da8e

SHA256
a408fe1246d6f87300da2e9a7e1036bd4213aabf99df51ef30fc8522fd71d124

SHA512
53214e2d661a710cfe2d8c1d1f059d8092d98fe48c1e410a0fdb6b6f1fb3c72d68fa38af7f47679a431900ed6938b4976a90dd298140ad81a601bc35830e9b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7259cc02-2c2f-4b79-bcd8-8b16e5aa084c.vbs

Filesize
698B

MD5
2ac9af101c69a24a09c7bafd8cd1f0a9

SHA1
e488ba2d97de8a7b5a9a39109c2137fa78531f78

SHA256
24e079be9759bc95389b1ac766f876395118a7a6fe90c3183c720f9811674370

SHA512
4b60e3f2ee03133a71c5053317c270264711bdcd04d1ec31fe498f8cc747919fa40f9761e891a5301b5d5b7333210f7c2eae09ae1d5e272c8e5ba3986e1863d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\75937d7a-77cd-4c0d-8138-f3b6ff4e6c8c.vbs

Filesize
474B

MD5
6c316c108de2b49f736ebec71447e336

SHA1
c0f89df08bdc761872f8e34d1094cb7c78b1a7f7

SHA256
cb8aeb6e96f268ecce7924fb3591a82afa12656644b8e821a9be379c315cd4b9

SHA512
05345ef2e80993183a8399c5e1791a561bb1d7446b943718ccc0032d43ee6c41b9f0079a8a97a8722492c27f4ddd8786ef96168384868c9f1d1b4d9cbbd44553

Download Submit
C:\Users\Admin\AppData\Local\Temp\86b3ef89-7094-42ff-a594-840183d4f105.vbs

Filesize
698B

MD5
f5fc151cfc124acdafb8592a0bed767e

SHA1
7c51be810b6e7c9e6b29ad3b91baa6a0706d6cae

SHA256
caa39244fe95fa9d5aeb5884c62c03eb3659c0feb07fb874e063084f0da32089

SHA512
cc9e139a6233182a5d11c9a7cf88350f5690d461c24b1a6f1f9558703c10c6251e940d386dd069fc119df291e6268242c2928fe7ffe8383561e871d34e6712af

Download Submit
C:\Users\Admin\AppData\Local\Temp\90106618-7ec6-43f6-9d7f-be579c85d6ac.vbs

Filesize
698B

MD5
d804068ef8057e7ef3c28d90ce2e1734

SHA1
7c3559fba07acf6474cd86a29506bc00be225563

SHA256
dc45075a6f18a41c38a569f3beae740c66b126d01d7ed5d496454e4e2c6802f8

SHA512
eae531e2515085ef1e00e1ea2d5838cdf027deb68397139180002550ed02ff400758495b7bf57dc2b24c979bfd3fe73fc3ee46b12b99ee555fb2050881e3d330

Download Submit
C:\Users\Admin\AppData\Local\Temp\9aa59a87-48bd-4c37-86c6-29287475e898.vbs

Filesize
698B

MD5
0127cc4c3e257d7b6525a28b33039dc6

SHA1
09726152d49b5b14379ad22de91986f2cd6cbeb8

SHA256
8ac4c41ec8367af49b1fcaea58d76d884506c99c307c1c80008ff32fd9fe2a8c

SHA512
2cf7bd7e5073927e2d6dfd445901a45aee360e4f711a739f1e2c96d1344ba11b2ff3163c20eb7f9c22bb5a9e6f15de2688997a3dfe095c57281dc8ab0104fe10

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFhuFoaoOh.bat

Filesize
186B

MD5
5e80c6f6d302bf28583bf5ea925dc49f

SHA1
abf3860b8ff822431f5450ab062b82c54485cbe2

SHA256
5fbea2321579dcdb91b38135a05f2f894834b29cd41f556eeca663764bfb32a6

SHA512
a36b31b98c2a47938c659ed5aa042aca863eb1ecbfffc857bb43cac3acee024ac51965dab41d1f6dfaa932112d5621d084e26d63bf6dc2e01fa5b43e63c54207

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oarhche1.ybd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a531dfed-b38d-4eb3-937f-f02737d67cf8.vbs

Filesize
698B

MD5
a6443a01f8fd39fbcf9f5ae8a72c9d4c

SHA1
68f1f2452f11f109df347e37d781a93b085bbdb3

SHA256
9dddfda347cf2d163f49532c8b577178a5364f393591be8dfecc4e6c06870fb6

SHA512
ad74f8d9dac40cadab57c2374edf1c42ce17ef4fa9bc495ebc61541486d6e90f6881fc76cdbe77fb8eb93e3828e83d2024e04c39de2a6e6474080c2e41d58d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\bae853a5-0afe-46e2-8789-c9e0bda6e60e.vbs

Filesize
698B

MD5
02820137ecbd37aa86042de318367dcd

SHA1
0eb39859a07998af75e19bb2732bef52b0fa2556

SHA256
c59d314cfddef6e2b7520c1e3235190db0357bb6af3658761554d58a2de404dd

SHA512
d7d7baabee751330d6aff72a5bbde8fa9f44b5781ae8b489b5c6a813d9795a5a10b0b74c139419cb7e26732dc0fc4afb2045a81fd612f840cec96fd9ed8ad74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbbc1553-f62a-4ecb-b09e-1c0a76e71fc0.vbs

Filesize
698B

MD5
06119a5a8e385eafeb9583de31805e51

SHA1
85f687235f594b347696989145c701366e2cef6c

SHA256
f3b376b1c9c38dbd50cd976b3161b8c454964fed553473dcea857cb636a20adb

SHA512
d1b88acfce20c748771f4d3786c09c0322739d72032921db39275ddb60cb4a515812e90aae164a66c4e0f39fe2c81ea8d8e4260a988e202136172320d4df4c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd4b8128-03a9-46b7-b4d3-0754a72b5fd4.vbs

Filesize
698B

MD5
eb872de25f3a0f3988212472f613c6e1

SHA1
7a10305374a3d580875eae244555ae11c11c76bc

SHA256
edd85c44eec236a840d71e39eae9ee35dec1e13dadb366d72b481b5be3ed55ef

SHA512
6ef09655cc880ea70a3c2b7ad20c81e652c68e75f82a647b53d9500231351a960d95476d04a168e1422f3005461a82c8e0fb4caa5bed712fe210b5959c9e6169

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce206ae3-2d98-4dfe-b57f-ab7941aba3c2.vbs

Filesize
697B

MD5
0a09c6be9e5917507cff132b8d91eeec

SHA1
689859cf62c68840f5f7c7c68f385fa6c09fa809

SHA256
b4475e189204d80089507603e86b9ac5e6fd3c62b96c30d3fd74a1b1a3d1d714

SHA512
547a4fa4f5cf01e3f6545c28b65e6db0e2604dbb2966fd68cb8ed1ea9ed6c6228e0ceef7796a8cb81106534dfd231bffe4ad6c5bcd847fd54e85a2c85567c5f9

Download Submit
memory/536-190-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/556-164-0x0000000000900000-0x0000000000A7E000-memory.dmp

Filesize
1.5MB

Download
memory/556-165-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/1564-92-0x00000210FD030000-0x00000210FD052000-memory.dmp

Filesize
136KB

Download
memory/2116-11-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/2116-1-0x0000000000E90000-0x000000000100E000-memory.dmp

Filesize
1.5MB

Download
memory/2116-25-0x00007FF929F60000-0x00007FF92AA21000-memory.dmp

Filesize
10.8MB

Download
memory/2116-24-0x00007FF929F60000-0x00007FF92AA21000-memory.dmp

Filesize
10.8MB

Download
memory/2116-21-0x000000001BD80000-0x000000001BD88000-memory.dmp

Filesize
32KB

Download
memory/2116-20-0x000000001BD00000-0x000000001BD0C000-memory.dmp

Filesize
48KB

Download
memory/2116-18-0x000000001BCF0000-0x000000001BCF8000-memory.dmp

Filesize
32KB

Download
memory/2116-17-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/2116-16-0x000000001BCD0000-0x000000001BCD8000-memory.dmp

Filesize
32KB

Download
memory/2116-15-0x000000001BBB0000-0x000000001BBBA000-memory.dmp

Filesize
40KB

Download
memory/2116-13-0x000000001BB90000-0x000000001BB9A000-memory.dmp

Filesize
40KB

Download
memory/2116-14-0x000000001BBA0000-0x000000001BBAC000-memory.dmp

Filesize
48KB

Download
memory/2116-12-0x000000001BB80000-0x000000001BB88000-memory.dmp

Filesize
32KB

Download
memory/2116-91-0x00007FF929F60000-0x00007FF92AA21000-memory.dmp

Filesize
10.8MB

Download
memory/2116-8-0x00000000031D0000-0x00000000031D8000-memory.dmp

Filesize
32KB

Download
memory/2116-10-0x00000000031F0000-0x0000000003200000-memory.dmp

Filesize
64KB

Download
memory/2116-2-0x00007FF929F60000-0x00007FF92AA21000-memory.dmp

Filesize
10.8MB

Download
memory/2116-9-0x00000000031E0000-0x00000000031EC000-memory.dmp

Filesize
48KB

Download
memory/2116-0-0x00007FF929F63000-0x00007FF929F65000-memory.dmp

Filesize
8KB

Download
memory/2116-6-0x00000000018F0000-0x00000000018FA000-memory.dmp

Filesize
40KB

Download
memory/2116-7-0x0000000001910000-0x000000000191C000-memory.dmp

Filesize
48KB

Download
memory/2116-5-0x0000000001900000-0x000000000190C000-memory.dmp

Filesize
48KB

Download
memory/2116-4-0x00000000017D0000-0x00000000017E2000-memory.dmp

Filesize
72KB

Download
memory/2116-3-0x00000000017C0000-0x00000000017C8000-memory.dmp

Filesize
32KB

Download
memory/2384-178-0x0000000001980000-0x0000000001992000-memory.dmp

Filesize
72KB

Download
memory/2960-331-0x0000000002BE0000-0x0000000002BF2000-memory.dmp

Filesize
72KB

Download
memory/4432-323-0x0000000003300000-0x0000000003312000-memory.dmp

Filesize
72KB

Download
memory/4916-224-0x0000000001410000-0x0000000001422000-memory.dmp

Filesize
72KB

Download